nftables mangling without NOTRACK: what can happen?

Einheri asked:

I’m experimenting with stateless NAT using nftables. On the page about statelessly mangling protocol fields, the author says:

Keep in mind the interactions with conntrack, flows with mangled traffic must be untracked

Out of curiosity, what are some of the bad things that can happen if I fail to do this? I can’t seem to find any information on this point.

My answer:

Connection tracking starts before the mangle table is processed, so the tracked connection would not match the mangled packets, making it useless at best or blocking connectivity at worst.

View the full question and any other answers on Server Fault.
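An added example, not part of the question or the answer above, of where the notrack has to sit for a stateless 1:1 NAT between a public address and an internal host. Addresses, interface names and chain names are constructed; the one real constraint is that conntrack hooks prerouting at priority -200, so notrack must run in a chain ahead of it (raw, -300), and the forward chain must admit the now-untracked flow explicitly, because the usual established,related rule never sees it.

```nft
# Added example (not from the question or answer). Constructed values:
# 192.0.2.10 is the public address, 10.0.0.10 the internal host,
# eth0 the WAN interface, eth1 the LAN interface.
define PUB = 192.0.2.10
define INT = 10.0.0.10

table ip stateless_nat {
    # Priority -300 (raw) runs before the conntrack hook at -200, so the
    # notrack here actually keeps these packets out of conntrack. A notrack
    # placed in a mangle (-150) or filter (0) chain would come too late.
    chain pre {
        type filter hook prerouting priority -300; policy accept;
        iif "eth0" ip daddr $PUB notrack
        iif "eth1" ip saddr $INT notrack
        # Rewrite the forward direction here; the reply is rewritten in post.
        iif "eth0" ip daddr $PUB ip daddr set $INT
    }

    chain post {
        type filter hook postrouting priority 0; policy accept;
        oif "eth0" ip saddr $INT ip saddr set $PUB
    }

    chain fwd {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Both directions of the mangled flow are untracked, so the rule
        # above never matches them; accept them on their own merits.
        ct state untracked iif "eth0" ip daddr $INT accept
        ct state untracked iif "eth1" ip saddr $INT accept
    }
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`; `nft list ct` style inspection of the conntrack table should then show no entry for this flow.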

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.